- name: "Create required directories in /etc/letsencrypt"
  # One directory per artefact type; keys/ receives the site private key and
  # csrs/ the CSR generated by the tasks below. 0711 lets other users
  # traverse the directories but not list them.
  file:
    path: "/etc/letsencrypt/{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0711"
  loop:
    - account
    - certs
    - csrs
    - keys
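- name: "Generate a Let's Encrypt account key"
  # creates: already makes this task idempotent; the in-shell "if [ ! -f ]"
  # test the original carried duplicated it and is dropped.
  # tee echoes the generated key to stdout, which Ansible captures into the task
  # result (visible with -v, in callbacks and in log_path); it is redirected to
  # /dev/null and the task is marked no_log so the private key never leaves the host.
  # The file still lands with tee's default permissions under sudo (typically
  # world-readable); tighten it with a follow-up file task once it is known which
  # user the letsencrypt tasks run as, since they read it via account_key_src.
  shell: "openssl genrsa 4096 | sudo tee {{ letsencrypt_account_key }} > /dev/null"
  args:
    creates: "{{ letsencrypt_account_key }}"
  no_log: true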
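- name: "Generate Let's Encrypt private key"
  # creates: keeps the site key stable across runs; the original regenerated it
  # on every run, replacing the key under any certificate already issued for it.
  # tee would echo the key to stdout and so into the captured task result; it is
  # redirected to /dev/null and the task is no_log.
  # The file is created with tee's default permissions under sudo (typically
  # world-readable) — tighten with a follow-up file task if the consumer permits.
  shell: "openssl genrsa 4096 | sudo tee /etc/letsencrypt/keys/{{ site_url }}.key > /dev/null"
  args:
    creates: "/etc/letsencrypt/keys/{{ site_url }}.key"
  no_log: true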
- name: "Generate Let's Encrypt CSR"
  # Builds a CSR for site_url with a matching subjectAltName. The -config
  # argument splices a [SAN] section onto the system openssl.cnf through bash
  # process substitution, which is why executable is set to /bin/bash.
  # YAML resolves the double-quote escapes first: \" becomes " and \n becomes a
  # real newline, so printf receives literal newlines, not escape sequences.
  # site_url is interpolated unquoted into the command and into the -subj
  # string; it is expected to be a bare hostname.
  # No creates: guard, so the CSR is regenerated on every run.
  shell: "openssl req -new -sha256 -key /etc/letsencrypt/keys/{{ site_url }}.key -subj \"/CN={{ site_url }}\" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf \"\n[SAN]\nsubjectAltName=DNS:{{ site_url }}\")) | sudo tee /etc/letsencrypt/csrs/{{ site_url }}.csr"
  args:
    executable: /bin/bash
- name: "Begin Let's Encrypt challenges"
  # First pass: opens the order and registers the pending challenge data in
  # acme_challenge_domain; the copy task below publishes it and the second
  # letsencrypt call completes the order.
  # force: true together with remaining_days: 91 asks for a fresh order on
  # every run regardless of the existing certificate's age — presumably so
  # challenge data is always produced; keep the CA's rate limits in mind.
  letsencrypt:
    acme_directory: "{{ acme_directory }}"
    acme_version: "{{ acme_version }}"
    account_key_src: "{{ letsencrypt_account_key }}"
    account_email: "{{ admin_email }}"
    terms_agreed: true
    challenge: "{{ acme_challenge_type }}"
    csr: "{{ letsencrypt_csrs_dir }}/{{ site_url }}.csr"
    dest: "{{ letsencrypt_certs_dir }}/{{ site_url }}.crt"
    fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ site_url }}.crt"
    remaining_days: 91
    force: true
  register: acme_challenge_domain
- name: "Create .well-known/acme-challenge directory"
  # Webroot location the http-01 validator fetches from; 0755 so the Apache
  # worker can traverse and read it.
  file:
    path: "/var/www/html/{{ site_url }}/.well-known/acme-challenge"
    state: directory
    owner: root
    group: root
    mode: "0755"
- name: "Implement http-01 challenge files"
  # Writes each pending http-01 token file from the first letsencrypt pass.
  # The when: guard skips domains for which no challenge was returned.
  # NOTE(review): dest is rooted at /var/www/html, while the directory task
  # above creates /var/www/html/{{ site_url }}/.well-known/acme-challenge —
  # confirm the challenge vhost's DocumentRoot matches one of the two.
  copy:
    content: "{{ acme_challenge_domain['challenge_data'][item]['http-01']['resource_value'] }}"
    dest: "/var/www/html/{{ acme_challenge_domain['challenge_data'][item]['http-01']['resource'] }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - "{{ site_url }}"
  when: acme_challenge_domain['challenge_data'][item] is defined
- name: "Use challenge Apache conf"
  # Installs the plain-HTTP vhost used only while the challenge is served;
  # the template source lives alongside the role.
  template:
    src: apache-challenge-site.conf
    dest: "/etc/apache2/sites-available/{{ site_url }}.conf"
    owner: root
    group: root
    mode: "0644"
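- name: "Enable site"
  # No shell features are needed, so command: is used instead of shell: and
  # site_url is passed as a plain argument rather than through an interpreter.
  # a2ensite links sites-available/<name>.conf into sites-enabled; creates:
  # makes the task report ok instead of changed once that link exists.
  command: "a2ensite {{ site_url }}"
  args:
    creates: "/etc/apache2/sites-enabled/{{ site_url }}.conf"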
- name: "Restart Apache"
  # Full restart so the freshly enabled challenge vhost is served before the
  # CA validates the http-01 files.
  service:
    state: restarted
    name: apache2
- name: "Complete Let's Encrypt challenges"
  # Second pass: data hands the first pass's registered result back to the
  # module, which is how it completes the pending challenges and writes the
  # issued certificate to dest/chain_dest/fullchain_dest.
  # terms_agreed is not repeated here; the account was accepted in the first pass.
  letsencrypt:
    acme_directory: "{{ acme_directory }}"
    acme_version: "{{ acme_version }}"
    account_key_src: "{{ letsencrypt_account_key }}"
    account_email: "{{ admin_email }}"
    challenge: "{{ acme_challenge_type }}"
    csr: "{{ letsencrypt_csrs_dir }}/{{ site_url }}.csr"
    dest: "{{ letsencrypt_certs_dir }}/{{ site_url }}.crt"
    chain_dest: "{{ letsencrypt_certs_dir }}/chain_{{ site_url }}.crt"
    # NOTE(review): no ".crt" suffix here, unlike dest, chain_dest and the
    # first pass's fullchain_dest — confirm which name the TLS vhost expects.
    fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ site_url }}"
    data: "{{ acme_challenge_domain }}"
    force: true